
Malware & Threats

VoidLink Linux Malware Framework Targets Cloud Environments

Designed for long-term access, the framework targets cloud and container environments with loaders, implants, and rootkits. The post VoidLink Linux Malware Framework Targets Cloud Environments appeared first on SecurityWeek.


A newly identified Linux malware framework has a highly modular design and capabilities that focus on cloud environments, Check Point reports.

Dubbed VoidLink, the framework consists of custom loaders, implants, and rootkits, and was purpose-built for long-term access to Linux systems.

The cloud-first implant was written in the Zig programming language and designed to identify major cloud environments, such as AWS, GCP, Azure, Alibaba, and Tencent, as well as Kubernetes pods and Docker containers, and adjust its behavior accordingly.

VoidLink can steal credentials for cloud, Git, and other source code version control systems, and Check Point believes it is likely targeted at software engineers, either for espionage or supply-chain attacks.

Likely created in a Chinese-affiliated development environment, the framework is still a work in progress, but it already contains a broad feature set, along with a development API inspired by Cobalt Strike, and is rapidly evolving.

“It includes rootkit-style capabilities (LD_PRELOAD, LKM, and eBPF), an in-memory plugin system for extending functionality, and adaptive stealth that adjusts runtime evasion based on the security products it detects, favoring operational security over performance in monitored environments,” Check Point notes.
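One host-side check for the LD_PRELOAD rootkit technique the report names, as an added example written for this page (not Check Point's or VoidLink's code): it flags preload libraries listed in /etc/ld.so.preload or injected through a process's LD_PRELOAD environment that live outside the usual library directories. The trusted-directory list and the sample inputs are assumptions.

```python
# Added example (not Check Point's or VoidLink's code): audit a Linux host for
# LD_PRELOAD-style userland hooks. Assumes the standard /etc/ld.so.preload file
# and /proc/<pid>/environ layout.
import os
from pathlib import Path

# Normal install locations for preload libraries; anything elsewhere
# (/tmp, /dev/shm, a home directory) deserves a closer look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample inputs, not real artefacts from the report.
SAMPLE_PRELOAD = "# system-wide preloads\n/usr/lib/libfakeroot.so /dev/shm/.x/libhook.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libc.so.9\0HOME=/root\0"

def parse_preload_file(text: str) -> list[str]:
    """Library paths from an ld.so.preload-style file (whitespace-separated, '#' comments)."""
    return [p for line in text.splitlines() for p in line.split("#", 1)[0].split()]

def preload_from_environ(environ: bytes) -> list[str]:
    """LD_PRELOAD entries (colon- or space-separated) from a NUL-separated environ blob."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace").replace(":", " ").split()
    return []

def classify(libs: list[str]) -> tuple[list[str], list[str]]:
    """Split paths into (trusted, suspicious) by install location."""
    trusted, suspicious = [], []
    for lib in libs:
        (trusted if lib.startswith(TRUSTED_LIB_DIRS) else suspicious).append(lib)
    return trusted, suspicious

def audit_host(proc: str = "/proc", preload_file: str = "/etc/ld.so.preload") -> dict:
    """Map each source (the preload file or a pid) to its (trusted, suspicious) lists."""
    findings = {}
    try:  # the file is normally absent; its mere presence is worth reporting
        findings[preload_file] = classify(parse_preload_file(Path(preload_file).read_text()))
    except OSError:
        pass
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            libs = preload_from_environ(Path(proc, pid, "environ").read_bytes())
        except OSError:  # process exited, or not ours to read
            continue
        if libs:
            findings[f"pid {pid}"] = classify(libs)
    return findings

if __name__ == "__main__":
    for source, (ok, bad) in audit_host().items():
        print(("SUSPICIOUS" if bad else "ok").ljust(10), source, ok + bad)
```

A preload rootkit that hooks libc's file functions can hide the preload file and its own entries from any dynamically linked tool running under the hook, so treat a clean result from the live host as weaker evidence than a check run from a statically linked binary or against a disk image.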

VoidLink is deployed using a two-stage loader. Upon initialization, it enumerates the system’s security tools and hardening measures to calculate a risk score and an evasion strategy that its modules then use for increased stealth.

The framework supports multiple command-and-control (C&C) communication channels, such as HTTP/HTTPS, ICMP, and DNS tunneling, as well as P2P/mesh-style communication between infected systems.

The framework creates a profile of host behavior to adapt C&C communication intervals, has a stealth module containing rootkits targeting various kernel versions that are deployed based on the infected environment, and contains several anti-analysis mechanisms.

VoidLink’s operators can control agents, implants, and plugins via a web-based dashboard localized for Chinese users.

The dashboard allows operators to deploy 37 VoidLink plugins for various post-exploitation activities, enabling them to perform reconnaissance, lateral movement, persistence, process injection, credential access, and evidence deletion.

A build interface allows threat actors to generate customized implants with specific capabilities and stealth parameters that can be changed at runtime.

“The framework’s intended use remains unclear, and as of this writing, no evidence of real-world infections has been observed. The way it is built suggests it may ultimately be positioned for commercial use, either as a product offering or as a framework developed for a customer,” Check Point notes.

Related: MacSync macOS Malware Distributed via Signed Swift Application

Related: Infostealer Malware Delivered in EmEditor Supply Chain Attack

Related: US Organizations Warned of Chinese Malware Used for Long-Term Persistence

Related: New Albiriox Android Malware Developed by Russian Cybercriminals
